New York state data security breaches have tripled since 2006: Report

The number of data security breaches reported annually to the New York state attorney general more than tripled between 2006 and 2013, and a record-setting 7.3 million records of New Yorkers were exposed last year, says a new report.

Furthermore, “mega breaches,” defined as data breach events in which the personal records of at least 100,000 individuals are compromised, are becoming increasingly common, with five of the 10 largest breaches reported to the New York attorney general having occurred since 2011, according to the report issued Monday by New York Attorney General Eric T. Schneiderman.

The 89 “mega breaches” that occurred between 2006 and 2013 were responsible for close to 80% of the personal records exposed, says the report.

In 2013, breaches are estimated to have cost organizations doing business in New York more than $1.37 billion, says the report.

Hacking intrusions accounted for 2,009 breaches, or 40.8% of the total number, followed by lost or stolen equipment and documentation, which accounted for 1,167 breaches, or 23.7% of the total, and inadvertent breaches, which accounted for 997 incidents, or 20.2% of the total. “Insider wrongdoing” accounted for 511 breaches, or 10.4% of the total.

The report says hacking attacks are driven primarily by the black-market value of personal information, which can fetch up to $45 per record.

Retailers are the most likely to suffer from multiple breaches. Of the 241 entities that reported at least three breaches between 2006 and 2013, retail services accounted for 54, followed by financial services with 31, health care entities with 29, and banking entities with 27. However, by far the largest number of personal records exposed in these breaches was in the health care sector, with a total of more than 1 million within that time period.

The report also provides advice on how organizations should protect themselves. Recommendations include understanding what information the business requires for its operation, identifying and minimizing data collection practices, creating an information security plan that includes encryption, implementing an information security plan and offering mitigation products such as credit monitoring in the event of a breach.

The report, “Information Exposed: Historical Examination of Data Breaches in New York State,” is available here.